Living and working in a riskier world From Risk Management to Risk Leadership

20 March 2014

Julia GrahamFERMA President

What we stand for

Co-ordinate, promote and support the development and use of risk management, insurance and risk financing in Europe

Be a significant stakeholder in the decision making process at the European level on risk management, insurance and risk financing – Profession– Innovation– Diversity

We go where others do not go

Leading risk management and insurance across Europe

Where we are

22 member associations in 20 countries

4336 individual members who are responsible for risk management and / or insurance in their organisations

Who we are

Our leadership team

Pierre SonigoSecretary

General

Florence BindelleExecutive Manager

Alessandro de Felice

Vice President

Michel DenneryVice President

Jo WillaertVice President

Julia GrahamPresident

Fernand De Winter

Treasurer

Three lines of defence

Source: ECIIA - Making the most of the Internal Audit Function

Risk management

“Why do you have brakes in a car? So you can drive faster safely. Why do you have good risk management? So you can pursue your business goals more energetically….” FT

"In an emergency the driver needs to know where the brakes are and how to use them properly. This is why you need good crisis management" …. JG

Old risk management

– Risk management as stand alone activity– Driven by audit – Based on rules – Of-the-shelf systems and solutions with pre-determined lists of risks– Focused only on threats– Mainly hard controls about tangible things – insurable– Artificially implemented or imposed – Stand-alone and not part of the business – Static, out-of-date – "we've done that" and filed away – Viewed as purely a cost overhead – Abandoned because nobody pays attention

Source: International Federation of Accountants - IFAC

No risk is an island

It's risk management Jim but not as we've known it

A strategic business discipline that supports the achievement of the organisation's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio

New risk management

– Risk management driven by objectives– Board and management driven – by example and from the top of the business– Based on principles and not rules– Tailor made to the business – Focused on opportunities as well as threats– As much about social / human / cultural aspects – not insurable– Organically implemented– "Part of the way we do things here" - integrated – Dynamic, evolving – not left on a shelf– Creates results and add value – with measures– Supported and long term

Source: International Federation of Accountants - IFAC

Leadership in risk management

• Board level supervision of risk management increasing and there is increasingly a role for leadership of risk management

• The majority of companies have education and review processes in place that keep the Board informed about risk exposures

• Most think communication between the Board and the "CRO" could be better• Companies aspire to improve the link between risk management and strategic

planning• Risk management has some way to go to use the risk management function for

making more effective strategic decisions• Risk-based incentives as part of remuneration slow• Brand and reputation rising concerns• Some executives and "experts" cite lack of risk management talent as an important

area especially in emerging products and markets• Processes to define risk appetite now in place at nearly half of the companies

Source: Leadership in Risk Management – Zurich, Harvard, FERMA and PRIMO

The first standards committee

Standards commonly used

Source: RIMS 2013 Benchmark Survey Produced by AdvisenAll rights reserved.

ISO 31000 up 5% from 2011

COSO up 2% from 2011

COSO ERM and ISO 31000 are different

Preferences can vary bias - audit and risk

COSO ISO 31000

Lengthy Short

Focused on ERM General approach to managing risk

One cube Framework and process

Skewed to negative Risk can be positive or negative

Risk already exists Risk tied to achieving objectives

Risk & opportunities Opportunities also source of risk

More sequential process More iterative process

Many organisations use COSO and ISO 31000

Reputation is now higher in our risk thinking

Reputations take years to build and minutes to destroy More than giving correct advice and more than a brand

– understanding the value of reputation - often the largest asset – taking ownership of reputation– having a holistic and systematic risk management process– understanding the expectations of our clients– identifying the main causes of risk– applying joined up management– viewing reputation as a risk consequence– having good crisis management for when things go wrong

Roads to Resilience "future proofing"

The next risk management generation Capability to deal with the unexpected Everyone acutely aware of risk – "bristling with risk awareness" Not a special function – everyone's job Widening scope of risk Widening of knowledge and skills for the "risk manager" Moving away from physical assets and people Client experience, brand and reputation key assets The range of assets at risk has changed In the world of social media firms cannot risk manage as if nothing has changed Risk management more facilitators than managers All levels of risk embraced

Evolution from risk management to building resilience

Principles of the resilient organisation

Exceptional radar Value and build strong relationships internally and externally Leaders that are respected and respectful The ability to respond rapidly Diversified resources We live and work in a riskier world Top Management

– Board directors believe that they should spend more time on strategy, talent and risk

Risk Managers– Risk managers must develop business leadership skills, become a business

discipline and add significant value - or stay as fragmented technical people called upon only when needed

Source: Roads to Resilience AIRMIC

Challenges to achieving resilience

The Risk Manager Overcoming barriers

– don't over analyse The role is changing

– no hiding behind rules and regulations– valued senior advisor– get out and engage

More about culture, behaviour, mind-set and insights

Enablers and behaviours People and culture Business structure Strategy, tactics and operations Leadership and governance

Risk management will become risk leadership

Position risk management will continue to assume a higher priority strong board involvement advocated to facilitate strategic and enterprise-wide risk more energy devoted to defining risk appetite, tracking, measuring and analysing risk

Challenges risk ownership and communication at all levels links between risk management and strategic planning and management communication between the board and risk management risk based incentives risk management talent pool with the right talent risk forecasting

Evidence to suggest that well risk managed businesses will be more profitable

Risk management will be recognised as a profession

What profession? Predicted that there will be fewer but more senior professionals

– as risk management matures and moves towards first line management The profession is generic and requires definition Professional certification:

– knowledge– experience– ethics– continuing professional development– business and operational model

Some similarities to Non Executive Directors Watch this space ….

Diversity in the teams works

In summary

Effective risk management is NOT just about compliance Risk is at the heart of strategy and effective risk management should be an enabler

and a potential differentiator Growth in a flat market can only be achieved by taking risks – these must be calculated

and transparent Reputation is critical and reputation risk management should be prioritised The tone is set at the top and the C-suite will take a stronger role in leading the risk

management effort in Europe The information required to take risk aware decisions is most likely to exist already

inside the company Risk management must be owned by the business Risk managers must be fit for the challenge

Knowledge

Skills

EthicsCPD

Business model

What FERMA is doing

25